Yeah. This is a programming task rather than a configuration task,
On Sep 14, 2006, at 1:50 AM, Simon Hang wrote:
But REMOTE_USER environment variable is only available in CGI mode.
It's okay for zope3, but no working for zope3.
I know there is a way to do similar things: use apache 2.0.x and
mod_auth_sspi and pass the information either use http head or part
of URL. But it's a not very nice solution. That's why I started to
look an alternative solution. But it seems impossible to implement
in zope3 use auth-plugin.
Maybe it's time to stop thinging about this. :(
On 9/14/06, Chris McDonough <[EMAIL PROTECTED]> wrote: The right
thing to do here is probably to just use something like
http://modntlm.sourceforge.net/ and trust the REMOTE_USER environment
variable passed by Apache... let somebody else worry about
maintaining it. ;-) One strategy for doing this is described at
On Sep 13, 2006, at 9:37 AM, Philipp von Weitershausen wrote:
> Gary Poster wrote:
>> On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:
>>> Simon Hang wrote:
>>>> I'm thinging to write a NTLM credential plugin for zope3. But
>>>> as I know, ntlm use 4-way handshake procedure, that means it
>>>> needs two round-trips between server(zope3) and client(browser).
>>>> When I look in the credential plugins, it has challenge mothed.
>>>> But seems it is only design for 1 round-trip protocol. It can
>>>> issue one challenge, and return to parent script.
>>> I don't see how the PAU only allows one "round-trip".
>> AIUI (I just looked up NTLM last night out of curiosity: see
>> http://www.innovation.ch/personal/ronald/ntlm.html), the problem
>> is that the 4 way handshake has to happen *within a single
> Ack. Ok, I didn't know that. Frankly, I personally don't care much
> about NTLM anyways...
>> Apparently MS abuses HTTP to perform this. Implementing it in
>> pluggable auth made me scratch my head a bit, so I didn't reply.
>> You would need to slurp the request, then push back to the
>> response, then slurp the same request again, then push back to the
>> response, then slurp one more time, and finally reply with the
>> real request. Describing the problem to Benji, he mentioned WSGI--
>> that does seem like the only way I can imagine this working, and
>> that would be tricky enough, especially if you needed to reach
>> into Zope for the managed credentials. Once the WSGI plugin did
>> its magic, it would need to put something in the WSGI request that
>> a pluggable auth plugin was willing to accept as authentication.
>> On the bright side, if you did this with WSGI you might be able to
>> offer this as a generic Python WSGI NTLM tool that required only
>> minimal integration with the back end app server.
> Yes, WSGI definitely sounds like a good place to put this then.
> Perhaps the WSGI middleware could "fake" a client that uses a more
> standard authentication system (e.g. Basic Auth) to the WSGI
> application, that way it'd be transparent to the WSGI application.
> Not sure if that's possible with NTLM, though.
> Zope3-users mailing list
Zope3-users mailing list
Zope3-users mailing list